Running 6.1 SP2 CFP7 our authors also face this from time to time. They may or may not have logged out, and then return to a few days later. The system prompts to login thru our SSO after which they can browse but not edit. The alert opens when any edit is attempted regardless of UI, page customization, and OOTB pages (e.g. /siteadmin). It definitely has something to go with the CSRF token and happens especially after restarting the author instance.
I may have reproduced the problem recently. Since restarting on Friday and logging back on Monday, I found edits generated the popup stating "Your request could not be completed because you have signed out." Of course I am freshly signed in. Looking at the network tab I see CSRF token ( /libs/granite/csrf/token.json ) is loading from disk cache.
Opening the CSRF resource from Chrome's browser disk cache, I see that it is Adobe Manage Services' maintenance page, which is given when their health-check fails. After reloading this resource (not clearing any other cache), the problem was resolved. The CSRF token resource has cache-control set for 'no-cache' (not 'no-store'). The cache is refreshed when the ETag is updated, so that offers efficiency I wouldn't want to change. But the maintenance page has no cache-control whatsoever. In this case, I think we need to set cache-control no-store on the maintenance page. This way hopefully the browsers won't cache the error responses.
